draft-ietf-oauth-amr-values-03.txt   draft-ietf-oauth-amr-values-04.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track P. Hunt Intended status: Standards Track P. Hunt
Expires: April 17, 2017 Oracle Expires: May 17, 2017 Oracle
A. Nadalin A. Nadalin
Microsoft Microsoft
October 14, 2016 November 13, 2016
Authentication Method Reference Values Authentication Method Reference Values
draft-ietf-oauth-amr-values-03 draft-ietf-oauth-amr-values-04
Abstract Abstract
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry but no registered in the IANA "JSON Web Token Claims" registry but no
standard Authentication Method Reference values are currently standard Authentication Method Reference values are currently
defined. This specification establishes a registry for defined. This specification establishes a registry for
Authentication Method Reference values and defines an initial set of Authentication Method Reference values and defines an initial set of
Authentication Method Reference values. Authentication Method Reference values.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 17, 2017. This Internet-Draft will expire on May 17, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 22 skipping to change at page 2, line 22
1.1. Requirements Notation and Conventions . . . . . . . . . . 3 1.1. Requirements Notation and Conventions . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Authentication Method Reference Values . . . . . . . . . . . 3 2. Authentication Method Reference Values . . . . . . . . . . . 3
3. Relationship to "acr" (Authentication Context Class 3. Relationship to "acr" (Authentication Context Class
Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5 Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6.1. Authentication Method Reference Values Registry . . . . . 6 6.1. Authentication Method Reference Values Registry . . . . . 6
6.1.1. Registration Template . . . . . . . . . . . . . . . . 7 6.1.1. Registration Template . . . . . . . . . . . . . . . . 7
6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 7 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 12
Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Appendix C. Document History . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry registered in the IANA "JSON Web Token Claims" registry
[IANA.JWT.Claims] but no standard Authentication Method Reference [IANA.JWT.Claims] but no standard Authentication Method Reference
values are currently defined. This specification establishes a values are currently defined. This specification establishes a
registry for Authentication Method Reference values and defines an registry for Authentication Method Reference values and defines an
initial set of Authentication Method Reference values. initial set of Authentication Method Reference values.
skipping to change at page 6, line 12 skipping to change at page 6, line 12
time, both because of the evolution of attacks on existing methods time, both because of the evolution of attacks on existing methods
and the deployment of new authentication methods. and the deployment of new authentication methods.
4. Privacy Considerations 4. Privacy Considerations
The list of "amr" claim values returned in an ID Token reveals The list of "amr" claim values returned in an ID Token reveals
information about the way that the end-user authenticated to the information about the way that the end-user authenticated to the
identity provider. In some cases, this information may have privacy identity provider. In some cases, this information may have privacy
implications. implications.
While this specification defines identifiers for particular kinds of
credentials, it does not define how these credentials are stored or
protected. For instance, ensuring the security and privacy of
biometric credentials that are referenced by some of the defined
Authentication Method Reference values is beyond the scope of this
specification.
5. Security Considerations 5. Security Considerations
The security considerations in OpenID Connect Core 1.0 [OpenID.Core], The security considerations in OpenID Connect Core 1.0 [OpenID.Core]
OAuth 2.0 [RFC6749], and the OAuth 2.0 Threat Model [RFC6819] apply and OAuth 2.0 [RFC6749] and the OAuth 2.0 Threat Model [RFC6819]
to this specification. apply to applications using this specification.
As described in Section 3, taking a dependence upon particular As described in Section 3, taking a dependence upon particular
authentication methods may result in brittle systems, since the authentication methods may result in brittle systems, since the
authentication methods that may be appropriate for a given authentication methods that may be appropriate for a given
authentication will vary over time. authentication will vary over time.
6. IANA Considerations 6. IANA Considerations
6.1. Authentication Method Reference Values Registry 6.1. Authentication Method Reference Values Registry
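Review bot: The reworded citation sentence in Section 5 now reads "[OpenID.Core] and OAuth 2.0 [RFC6749] and the OAuth 2.0 Threat Model [RFC6819]"; the doubled "and" makes it harder to parse than the -03 wording, so keep the serial list and only change the object: "OpenID Connect Core 1.0 [OpenID.Core], OAuth 2.0 [RFC6749], and the OAuth 2.0 Threat Model [RFC6819] apply to applications using this specification." The new Privacy Considerations paragraph sensibly scopes out how the referenced credentials are stored or protected; consider a cross-reference from it to the brittleness text in Section 5, since both tell a relying party not to treat a listed method as a guarantee about the credential behind it.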
skipping to change at page 12, line 10 skipping to change at page 12, line 15
[RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP: [RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP:
Time-Based One-Time Password Algorithm", RFC 6238, Time-Based One-Time Password Algorithm", RFC 6238,
DOI 10.17487/RFC6238, May 2011, DOI 10.17487/RFC6238, May 2011,
<http://www.rfc-editor.org/info/rfc6238>. <http://www.rfc-editor.org/info/rfc6238>.
[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
DOI 10.17487/RFC6819, January 2013, DOI 10.17487/RFC6819, January 2013,
<http://www.rfc-editor.org/info/rfc6819>. <http://www.rfc-editor.org/info/rfc6819>.
Appendix A. Acknowledgements Appendix A. Examples
In some cases, the "amr" claim value returned may contain a single
Authentication Method Reference value. For example, the following
"amr" claim value indicates that the authentication performed used an
iris scan biometric:
"amr": ["iris"]
In other cases, the "amr" claim value returned may contain multiple
Authentication Method Reference values. For example, the following
"amr" claim value indicates that the authentication performed used a
password and knowledge-based authentication:
"amr": ["pwd", "kba"]
Appendix B. Acknowledgements
Caleb Baker participated in specifying the original set of "amr" Caleb Baker participated in specifying the original set of "amr"
values. John Bradley, Brian Campbell, William Denniss, James Manger, values. John Bradley, Brian Campbell, William Denniss, James Manger,
Nat Sakimura, and Mike Schwartz provided reviews of the Nat Sakimura, and Mike Schwartz provided reviews of the
specification. specification.
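Review bot: Both Appendix A examples show the claim value as a JSON array, but the surrounding prose never states that rule; since a single method is still encoded as "amr": ["iris"] rather than "amr": "iris", say explicitly that the "amr" claim value is always an array of strings, even when only one Authentication Method Reference value is present. It would also help to say whether the order of the values in ["pwd", "kba"] is significant, and to show the examples as fragments of the ID Token claims set so readers see where the claim sits relative to the other claims.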
Appendix B. Document History Appendix C. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-03 -04
o Added examples with single and multiple values.
o Clarified that the actual credentials referenced are not part of
this specification to avoid additional privacy concerns for
biometric data.
o Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to
applications using this specification.
-03
o Addressed shepherd comments. o Addressed shepherd comments.
-02 -02
o Addressed working group last call comments. o Addressed working group last call comments.
-01 -01
o Distinguished between retina and iris biometrics. o Distinguished between retina and iris biometrics.
o Expanded the introduction to provide additional context to o Expanded the introduction to provide additional context to
 End of changes. 12 change blocks. 
15 lines changed or deleted 47 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/